Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

WEBINAR:On-Demand

The barrage of troubling enterprise security breaches continued last month when MasterCard International announced that a lapse on the part of its partner, CardSystems Solutions, had exposed 68,000 customers to a high risk of theft.

As a third-party payment processor for MasterCard, Visa and American Express, CardSystems had access to vast amounts of customer data—most of which it was not supposed to keep on its servers but, rather, discard after transaction processing. In addition, much of the data was stored unencrypted, despite the credit card companies requirements to the contrary.

CardSystems has even acknowledged that it kept the three-digit security codes—the codes that are supposed to make a credit card number alone insufficient—in the same unencrypted store with those account numbers.

This incident also brings to light more serious issues regarding inappropriate data usage. CardSystems has claimed that it retained data for the purpose of investigating spurious reports of failure to complete transactions. We dont think that reason is good enough—especially when CardSystems was under a contractual obligation to encrypt the data on hand and discard it as soon as possible.

Further reading

Whatever CardSystems claims it was using the data for, its excuses do nothing to cushion the blow to the thousands of credit card holders who faced elevated risks of fraud. Credit card issuers such as Citigroup, JPMorgan Chase and MBNA America Bank should reverse their current policy of not notifying cardholders unless their accounts are defrauded.

Such disclosures are mandated by the California Security Breach Information Act, in effect since July 1, 2003, which requires companies based in California or with customers in California to notify the customers whenever their unencrypted personal information may have been compromised.

The incident should serve as a wake-up call for every company to take a fresh look at what kind of data it keeps, for how long and in what form—and to discard data, or replace it with statistics for future research or reporting, at the earliest opportunity. Data that is no longer stored cant be snooped.

Until a better alternative comes along, credit cards will play a crucial role in the economy. But with the sheer number of mergers and acquisitions—not to mention bankruptcies—occurring today, a large amount of data is floating around in a vulnerable state.

Whether that data is stored internally or by a third-party partner, a failure on the part of any organization to set and follow strict guidelines on whether the data should be stored at all and when it should be discarded makes storage vendors rich today—and could make plaintiffs attorneys richer tomorrow.

Corporate executives and IT managers must work together to define how their companies store and use sensitive data. Then they must consistently implement the practices they define.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.